Personal data file related to the Aisti Health well-being service (hereinafter referred to as “Aisti Health”). Through the Aisti Health service, Aava contributes to the provision of well-being services to private persons, corporate customers and their employees.
If your employer or a corresponding party has ordered the Aisti Health service for your use, we process your email address received from the party referred to above in order to send a registration message concerning the initial use of the service.
Personal data is processed on the grounds of your express consent to the processing of your personal data in our Aisti Health service, including sensitive health data. Your personal data stored in the Aisti Health service is not transferred to the patient information system unless you agree on this separately with a health care professional.
The personal data you provide for the Aisti Health service may be used for profiling purposes. We use profiling and screening based on your personal data, including your responses to the well-being survey, in order to identify, for example, resources, risks and needs related to well-being so that we can better provide you with suitable occupational health and well-being services in a timely manner. We also use such data to target our marketing and to develop our services.
In connection with the provision of the Aisti Health service, we process the following personal data concerning you:
The information referred to above is necessary for the implementation of Aava’s well-being services and in order to enable contacts.
We process the following data concerning your health and well-being:
Your patient data is not processed in the Aisti Health service.
We collect personal data primarily from you (the data subject). In addition, we collect data generated in connection with the use of the Aisti Health service, as specified in this privacy statement.
If your employer or a corresponding party has ordered the Aisti Health service for your use, we obtain your email address as a disclosure from the party referred to above in order for us to provide you with information concerning the initial use of the Aisti Health service. In addition, said party may disclose to us unit specifications of organisations in order to enable the reporting of anonymised group-level results.
Furthermore, personal data may be collected and updated for the purposes described in this privacy statement based on data obtained from public sources and authorities or from other third parties within the limits of the applicable legislation. Such updating of data is carried out manually or through automated means.
In relation to service provision, we use subcontractors who process personal data on our behalf, with such subcontractors providing Aava with services related to well-being coaching and IT management.
As a rule, Aava does not transfer personal data outside the European Union or European Economic Area. For example, the processing of all sensitive personal data such as health data takes place in the European Union or European Economic Area.
However, some of our service providers operate outside the EU or EEA, and we transfer general personal data to them if it is necessary for the purposes referred to in this privacy statement. In these cases, we ensure the safety of personal data through contractual safeguards.
Only our employees who are authorised to process customer data as part of their work duties have the right to use the system containing personal data. Each user has a user ID and password for the system, with two-factor identification required for access. Data is collected into databases that are located in a network that is separated from the internet, with the databases protected by firewalls, passwords and other technical means. Data protection is tested on a regular basis so that we can ensure that the technical and organisational data protection measures are comprehensive and sufficient. The up-to-dateness of software programmes is monitored with automated tools. Servers, databases and their backups are located in secure premises, and information can only be accessed by pre-assigned persons who need access in order for them to carry out their work duties.
Aava’s personnel receive regular training on data security and data protection.
We retain your personal data for as long as you have an account in the Aisti Health service.
After this, personal data is irreversibly anonymised by compiling statistics and/or by removing all identification data. Anonymous data, from which individuals cannot be identified, is utilised for research and statistical purposes.
We regularly assess the need to retain personal data while considering the applicable legislation. In addition, we take reasonable measures to ensure that no personal data on data subjects that is incompatible with the purposes of processing or data that is outdated or inaccurate is stored in the register. We rectify or erase such data without delay on our own initiative or upon your request.
As a data subject, you have the right to check the data stored in the personal data file concerning you and demand that inaccurate, outdated or unlawful data be rectified or erased. In so far as you have personal access to your data, you can modify the data yourself. For processing based on consent, you also have the right to withdraw your consent at any time. Please note that a withdrawal of consent has no effect on the lawfulness of any processing that took place before consent was withdrawn.
Based on grounds relating to your particular situation, you also have the right to object to any processing concerning you when the processing of data is based on Aava’s legitimate interest. When presenting your demand, you must specify the particular situation based on which you object to the processing. We may refuse to comply with a request concerning an objection only based on grounds laid down in law.
As a data subject, you have the right to object to the processing at any time and at no cost, including profiling and direct marketing.
You always have the right to submit a complaint to a competent data protection authority. In Finland, this authority is the Data Protection Ombudsman, the contact details of which are available online at tietosuoja.fi.
All queries and requests concerning this privacy statement must be presented in writing or personally to the contact person specified in section two (2).